Accounting Information and Security Management

Case Study 1: The Bangladesh Bank Heist (2016) – $81 Million Cyber Theft

Overview: The cyber theft began when emails containing malicious software
compromised the system of Bangladesh Bank. Playing with different time zones of
three separate financial institutions, the hackers made fraudulent bank transfers.
Due to different operating hours, it allowed the hackers to seamlessly transfer $81
million to be laundered in the Philippines.

How the Attack Happened:

1. The cyberattack began when employees of Bangladesh Bank received emails

containing malware. This malware enables the attackers to infiltrate the
bank’s system. Once they had infiltrated the system, the hackers played with
the timezone differences of three financial institutions: Bangladesh Bank, the
Federal Reserve Bank in New York, and the Rizal Commercial Banking
Corporation (RCBC) in the Philippines.
2. The attackers initiated bank transfers. Upon recognizing that the transactions
were flagged as suspicious, Bangladesh Bank were unable to contact Federal
Reserve due to its operating hours being closed.
3. The stolen money was then transferred into five separate accounts at RCBC in
the Philippines. From there, the money was then laundered into local casinos.

Security Failures Identified:

 The employees of Bangladesh Bank lack security training, particularly in

identifying cyberattack attempts such as clicking random links and opening
email attachments from unknown senders.
 Financial institutions have no alternative way to contact each other to
promptly address urgent concerns outside of its operating hours.
 The RCBC failed to flag the large amount of money transferred.

Recommendations:

Financial institutions shall ensure that they uphold their duty of extraordinary
diligence at all times, even after their operating hours. This can be made by
creating centralized communications for all banks around the world, wherein it is
easy for them to get in touch with each other whenever there are urgent concerns
outside operating hours. In addition, all employees should have regular training
sessions to enhance their ability to identify suspicious links, cyberattack attempts,
and unusual transactions. These security measures can make a difference to
strengthen their security and uphold their duty.
Case Study 2: The Carbanak Cybercrime Group (2013–2020) – $1 Billion
Bank Heist
Overview: For years, the cybercrime gangs Carbanak and Cobalt used an
advanced malicious software to get unauthorized access to several banks across
Europe and globally. The said groups targeted the vulnerabilities in banking security
infrastructure and took advantage of the emerging technology, cryptocurrency, to
launder the stolen money.

How the Attack Happened:

1. Cybercrime groups sent an email containing phishing links that install

malicious software to employees of their targeted financial institutions. These
led the cybercrime groups to know how the internal system of their targeted
bank works and to have a remote control over their ATMs.
2. From there, they use other accounts to create fictitious transactions that
enabled them to withdraw cash in a way that ATMs are dispensing money on
their own without the need for an ATM card at a predetermined time.
3. Once money was collected, the said cybercrime groups took advantage of the
use of cryptocurrency to launder the money.

Security Failures Identified:

1. Financial institutions have outdated security system that traces unusual

account activities.
2. Employees lack the necessary training skills to identify suspicious links and
online activities that could indicate a cyberattack.
3. Financial institutions failed to have regular maintenance of their security
policies that kept the attackers from stealing money unnoticed.
Recommendations:
Financial institutions have the power to impose the highest degree of protection for
the money of their clients. This can be achieved through regularly updating their
system to prevent being vulnerable to evolving cyberattacks. Also, they must
prioritize the modernization of their ATM infrastructure.

Case Study 3: The Equifax Data Breach (2017) – 147 Million Records
Exposed

Overview: A multinational consumer credit reporting company, Equifax, faced a

data breach when the software it used became vulnerable, which the company
failed to patch despite having security updates, leading to an exposure of 147
million people’s personal information.

How the Attacked Happened:

 1. Apache Software Foundation reported that their software, which was being
used by Equifax had vulnerabilities. Apache sent directions to the latter to
patch it, but Equifax was unable to identify the vulnerability when scanned.
2. Hackers were able to obtain usernames and passcodes of employees.
3. They were able to breach the personal information of 147 million people,
including names, social security numbers, and credit card information.

Security System Identified:

1. The software vulnerability was not instantly addressed by Equifax.

2. The networks were easily attacked because of a lack of divisions.
3. Inadequate security measures failed to effectively identify and address
vulnerabilities.

Recommendations:

Operating a business that requires the collection of personal information calls for
the implementation of a centralized network division. This policy ensures that each
network has an independent system to defend against cyberattacks. In this way, if
one division becomes compromised, the entire network is not affected, hence, it
prevents hackers from gathering all information. In addition, it is easier to manage a
small data breach rather than to trace down a large-scale data breach.

IV. Compare the Bangladesh Bank Heist (2016), Carbanak Attacks (2013–
2020), and Equifax Data Breach (2017). What were the key similarities and
differences in how these financial cyberattacks were executed?

Key Similarities:
1. The Bangladesh Bank Heist and Carbanak Attacks were executed because of
phishing activities that involve emails containing malicious software.
2. Bangladesh Bank and targeted financial institutions in Carbanak Attacks
employees lack the necessary skills to identify security vulnerabilities.
3. All three of the attacks involve valued items such as personal information and
money.

Key Differences:
1. Only Equifax Data Breach involves personal information such as names and
social security numbers to be breached.
2. The Bangladesh Bank Heist involves playing with time zone differences.
3. The Carbanak Atatcks use ATMs to dispense money and use cryptocurrency
to launder stolen money.
V. What were the major regulatory consequences faced by Equifax after
the breach? How does this compare to financial institutions in the
Philippines under R.A. 10173 (Data Privacy Act of 2012)?

Equifax faced massive multimillion-dollar fines to settle a major data breach that
compromised millions of people’s personal information. This case can be compared
to financial institutions in a way that if one does expose personal data belonging to
clients, it can still be held responsible even if it is done unknowingly. As a result, the
company may face legal consequences such as civil charges and be required to pay
fines to settle the issues.

VI. The Carbanak cybercriminals used ATMs to steal money without

breaking into banks physically. How can financial institutions protect ATM
networks from such attacks in the future?

Keeping the ATM software separate from other systems helps to avoid being
compromised by malicious software. This way, even if one system becomes
infected, the malware will be contained and will not spread across the whole
network. Moreover, a consistent monitoring of transactions is necessary to avoid
concealment of fraudulent activities.

VII. What role does AI-based fraud detection play in preventing social
engineering attacks like Carbanak’s phishing campaigns?

Artificial Intelligence instantly and continuously scans and analyzes vast amounts of
data to detect irregular patterns or behaviors within the system. This constant
monitoring allows AI to identify potential security threats in a timely manner before
they escalate and cause significant damage to the network. In addition, AI enhances
security by monitoring for suspicious activities in real time. It can detect phishing
attempts by analyzing messages or emails, such as receiving malicious links and
potentially harmful unknown senders.